One of federal Parliament’s most powerful joint committees has demanded that government agencies unable to meet an August 2015 deadline to get crucial cybersecurity defences sorted must set a compliance date — or be hauled back to Parliament House face fresh questioning over their lack of progress.
The Joint Committee of Public Accounts and Audit (JCPAA) has bluntly told agencies examined in an Australian National Audit Office (ANAO) audit into cyber attacks and the security of agency systems that it now intends to keep the spotlight trained on the issue and wants real progress made quickly.
The warning from JCPAA that it is prepared to effectively name and shame agencies over future lack of progress on cyber security is a potent threat because it could potentially hold-up progress on meeting a key Coalition policy objective to bring most government services online.
The Abbott government and Communications Minister Malcolm Turnbull have been vigorously pursuing a stated policy goal that at least 80 per cent of government communications will very quickly need to be transacted online.
“Part of our policy is to ensure by 2017, all interactions with the federal government, or all major interactions that involve a reasonable number of people can be conducted end-to-end digitally,” Mr Turnbull told an Enterprise Ireland breakfast in September 2014.
In the same speech Mr Turnbull said the most effective way to move the Australian economy “onto a digital plane is to get government onto a digital plane.”
But to get on the runway, many key agencies still have to complete IT security overhauls to ensure they are sufficiently protected from malicious actors that range from foreign espionage intrusions to criminal entities seeking client information to perpetrate online fraud.
And now top level concern over the pace of progress is clearly growing.
“The Committee is keenly aware of the importance of ensuring that the ICT systems of Australian government agencies are adequately protected from both internal and external threats,” the JCPAA said in its report.
“The Committee is concerned that, of the seven agencies audited, not a single agency was found to be fully compliant with the top four mitigation strategies and related controls in the ISM [Information Security Manual] at the time of audit and none of the agencies was expected to achieve full compliance by the mandated target date of July 2014.”
Part of the problem, which the Committee readily acknowledged, is that achieving compliance with the Australian Signals Directorate’s ‘Top Four’ IT security mitigation strategies.
One of the biggest challenges is patching corporate applications within agencies, especially for heavy technology users like Tax and Centrelink where there are literally thousands of programs that have built up over decades that need to be probed.
Additionally, sheer volume of work involved in achieving compliance makes it an almost impossible task for some agencies within the constraints of existing resources, a situation that forces difficult choices in terms of assigning priorities.
Now the JCPAA wants agencies to front up and show their hand on what it will take to get with the security program.
“The Committee acknowledges the comments from ASD and the selected agencies regarding the challenges that many agencies have faced and will continue to face when implementing these strategies,” the JCPAA report said.
However, the Committee cited its agreement with the ANAO’s comments that “where agencies are unable to comply fully with mandatory Government requirements within a specified timeframe, it is important that they develop a clear timetable and process to establish a path to compliance and guide implementation.”
The report goes on to say that each agency should produce “a clear and detailed plan of necessary activities, including a definitive date of compliance.”
“Agencies that do not expect to achieve full compliance before August 2015 should notify the Committee – the Committee may then seek an explanation of why full compliance is not expected to be achieved, as well as the mitigation strategies the agency has put in place,” the report cautioned.
The current Top Four IT security mitigation strategies:
• Application Whitelisting: designed to protect against unauthorised and malicious programs executing on a computer. This strategy aims to ensure that only specifically selected programs can be executed;
• Patching Applications: applying patches to applications and devices to ensure the security of systems;
• Patching Operating Systems: deploying critical security patching to operating systems to mitigate extreme risk vulnerabilities; and
• Minimising Administrative Privileges: restricting administrative privileges provides an environment that is more stable, predictable, and easier to administer and support as fewer users can make changes to their operating environment.
Source: ANAO, Attorney General’s Department, ASD
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter